PACS hack lawsuit tossed
A federal judge has dismissed a class-action lawsuit filed by patients over a data breach at a four-location radiology practice and its countrywide parent company.
The plaintiffs alleged that a 2019-2020 hack of a picture archiving and communication system operated by Mount Kisco, N.Y.-based Northeast Radiology, which is corporately managed by 47-state Alliance HealthCare Services (now part of Akumin Inc.), had burdened them with an “ongoing imminent risk” of identity theft and fraud.
The claims included negligence, breach of contract, violation of a New York General Business Law section and “intrusion upon seclusion.” The patients added that, unlike credit-card theft, this type of privacy infringement gives the victimized no sure way to halt the dissemination of stolen personal information.
The PACS housed more than 1.2 million patient records, although the hack seems to have exposed those from only 29 patients.
Soon after notifying the public of the crime in 2020, Northeast stated there was “no evidence that any personal information was misused by the unauthorized individuals, and Northeast Radiology is not aware of any instances of fraud or identity theft as a result of this incident.”
In this week’s decision,[1] handed down Monday, U.S. District Judge Vincent L. Briccetti rejected the plaintiffs’ arguments and dismissed the case.
He ruled the plaintiffs, Jose Aponte II and Lisa Rosenberg, “failed to allege the type of concrete injury-in-fact necessary to sustain their claims under established standing principles.”
More from Briccetti’s decision as lightly edited for clarity by Law 360:
Even if plaintiffs lost some measure of privacy and that privacy was part of the bargain for medical services, [they] haven’t alleged any concrete harm from the alleged data breach. If plaintiff[s] bargained for data security, and no third party has misused [their] data, then plaintiffs have received exactly what [they] paid for.”
The judge further found that, contrary to the plaintiffs’ claims, Northeast had not “caused unauthorized access by third parties that intruded upon their seclusion,” which is a sufficient injury to confer standing, Law 360 notes.
Briccetti stated that the hackers, not the practice, improperly accessed the data.
More Coverage Related to Northeast Radiology and Alliance Healthcare Services:
Radiology provider launches investigation, notifies patients after hackers infiltrate PACS
Alliance Healthcare Services plans to ‘vigorously defend’ against ‘unfounded’ PACS-breach lawsuit
Alliance HealthCare finalizes partnership deal with Northeast Radiology
ACR awards Northeast Radiology high distinction
Reference:
- “Aponte et al. v. Northeast Radiology PC et al.” Filed May 16, 2022.